tlsopenssl: for psk added a dynamic callback

- GetTlsPskByFullyQualifiedResourceNameCb should give back the psk for a given identity based on the appropriate config-resource - first implementation in director - unittest covers console-director connection
bareos · Sep 20, 2018 · 23b0064 · 23b0064
1 parent 41cc568
commit 23b0064
Show file tree

Hide file tree

Showing 21 changed files with 166 additions and 104 deletions.
diff --git a/core/src/console/console_conf.cc b/core/src/console/console_conf.cc
@@ -113,6 +113,17 @@ static ResourceTable resources[] = {
    { "Director", dir_items, R_DIRECTOR, sizeof(DirectorResource), [] (void *res){ return new((DirectorResource *) res) DirectorResource(); } },
    { NULL, NULL, 0 }
 };
+
+bool GetTlsPskByFullyQualifiedResourceName(const char *fq_name_, std::string &psk_return_value)
+{
+//   char *fq_name_buffer = bstrdup(fq_name_);
+//   UnbashSpaces(fq_name_buffer);
+//   std::string fq_name(fq_name_buffer);
+//   free(fq_name_buffer);
+
+   return false;
+}
+
 } /* namespace console */
 
 using namespace console;
@@ -422,13 +433,3 @@ bool PrintConfigSchemaJson(PoolMem &buffer)
 }
 #endif
 } /* namespace console */
-
-bool GetTlsResourceByFullyQualifiedResourceName(const char *fq_name_, std::string &psk_return_value)
-{
-//   char *fq_name_buffer = bstrdup(fq_name_);
-//   UnbashSpaces(fq_name_buffer);
-//   std::string fq_name(fq_name_buffer);
-//   free(fq_name_buffer);
-
-   return false;
-}
diff --git a/core/src/dird/dird_conf.cc b/core/src/dird/dird_conf.cc
@@ -51,6 +51,7 @@
 #include "dird.h"
 #include "dird/inc_conf.h"
 #include "dird/dird_globals.h"
+#include "lib/tls_conf.h"
 
 namespace directordaemon {
 
@@ -3779,6 +3780,35 @@ static void PrintConfigCb(ResourceItem *items, int i, PoolMem &cfg_str, bool hid
    }
 }
 
+bool GetTlsPskByFullyQualifiedResourceName(const char *fq_name_, std::string &psk_return_value)
+{
+   char *fq_name_buffer = bstrdup(fq_name_);
+   UnbashSpaces(fq_name_buffer);
+   std::string fq_name(fq_name_buffer);
+   free(fq_name_buffer);
+
+   const std::string ua("*UserAgent*");
+
+   bool success = false;
+   if (fq_name == ua) {
+      psk_return_value = me->password.value;
+      success = true;
+   } else {
+      ConsoleResource *res = reinterpret_cast<ConsoleResource*>(GetResWithName(R_CONSOLE, fq_name.c_str()));
+      if(res) {
+         psk_return_value = res->password.value;
+         success = true;
+      }
+   }
+   return success;
+}
+
+static void ConfigInitLateCb(ConfigurationParser &my_config)
+{
+  DirectorResource *dir_resource = (DirectorResource *)GetNextRes(R_DIRECTOR, NULL);
+  dir_resource->tls_psk.GetTlsPskByFullyQualifiedResourceNameCb = GetTlsPskByFullyQualifiedResourceName;
+}
+
 ConfigurationParser *InitDirConfig(const char *configfile, int exit_code)
 {
    return new ConfigurationParser (
@@ -3796,7 +3826,8 @@ ConfigurationParser *InitDirConfig(const char *configfile, int exit_code)
                 resources,
                 res_head,
                 default_config_filename.c_str(),
-                "bareos-dir.d");
+                "bareos-dir.d",
+                ConfigInitLateCb);
 }
 
 /* **************************************************************************** */
@@ -4430,26 +4461,3 @@ bool SaveResource(int type, ResourceItem *items, int pass)
    }
    return true;
 }
-
-bool GetTlsResourceByFullyQualifiedResourceName(const char *fq_name_, std::string &psk_return_value)
-{
-   char *fq_name_buffer = bstrdup(fq_name_);
-   UnbashSpaces(fq_name_buffer);
-   std::string fq_name(fq_name_buffer);
-   free(fq_name_buffer);
-
-   const std::string ua("*UserAgent*");
-
-   bool success = false;
-   if (fq_name == ua) {
-      psk_return_value = me->password.value;
-      success = true;
-   } else {
-      ConsoleResource *res = reinterpret_cast<ConsoleResource*>(GetResWithName(R_CONSOLE, fq_name.c_str()));
-      if(res) {
-         psk_return_value = res->password.value;
-         success = true;
-      }
-   }
-   return success;
-}
diff --git a/core/src/dird/dird_conf.h b/core/src/dird/dird_conf.h
@@ -663,6 +663,7 @@ extern "C" char *job_code_callback_director(JobControlRecord *jcr, const char*);
 const char *get_configure_usage_string();
 void DestroyConfigureUsageString();
 bool PopulateDefs();
+bool GetTlsPskByFullyQualifiedResourceName(const char *fq_name_, std::string &psk_return_value);
 
 } /* namespace directordaemon */
 #endif // BAREOS_DIRD_DIRD_CONF_H_
diff --git a/core/src/filed/filed_conf.cc b/core/src/filed/filed_conf.cc
@@ -312,6 +312,16 @@ bool PrintConfigSchemaJson(PoolMem &buffer)
 }
 #endif
 
+bool GetTlsPskByFullyQualifiedResourceName(const char *fq_name_, std::string &psk_return_value)
+{
+//   char *fq_name_buffer = bstrdup(fq_name_);
+//   UnbashSpaces(fq_name_buffer);
+//   std::string fq_name(fq_name_buffer);
+//   free(fq_name_buffer);
+
+   return false;
+}
+
 /* **************************************************************************** */
 } /* namespace filedaemon */
 /* **************************************************************************** */
@@ -677,13 +687,3 @@ bool SaveResource(int type, ResourceItem *items, int pass)
    }
    return (error == 0);
 }
-
-bool GetTlsResourceByFullyQualifiedResourceName(const char *fq_name_, std::string &psk_return_value)
-{
-//   char *fq_name_buffer = bstrdup(fq_name_);
-//   UnbashSpaces(fq_name_buffer);
-//   std::string fq_name(fq_name_buffer);
-//   free(fq_name_buffer);
-
-   return false;
-}
diff --git a/core/src/filed/filed_conf.h b/core/src/filed/filed_conf.h
@@ -125,6 +125,7 @@ union UnionOfResources {
 
 ConfigurationParser *InitFdConfig(const char *configfile, int exit_code);
 bool PrintConfigSchemaJson(PoolMem &buffer);
+bool GetTlsPskByFullyQualifiedResourceName(const char *fq_name_, std::string &psk_return_value);
 
 } /* namespace filedaemon */
 #endif /* BAREOS_FILED_FILED_CONF_H_ */
diff --git a/core/src/lib/bsock.cc b/core/src/lib/bsock.cc
@@ -495,7 +495,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnection(TlsResource *tls_configurati
 
   if (tls_configuration->tls_psk.enable) {
     if (initiated_by_remote) {
-      tls_conn->SetTlsPskServerContext();
+      tls_conn->SetTlsPskServerContext(tls_configuration->tls_psk.GetTlsPskByFullyQualifiedResourceNameCb);
     } else {
       const PskCredentials psk_cred(identity, password);
       tls_conn->SetTlsPskClientContext(psk_cred);

diff --git a/core/src/lib/parse_conf.cc b/core/src/lib/parse_conf.cc
@@ -115,7 +115,8 @@ ConfigurationParser::ConfigurationParser(
                   ResourceTable *resources,
                   CommonResourceHeader **res_head,
                   const char* config_default_filename,
-                  const char* config_include_dir)
+                  const char* config_include_dir,
+                  void (*ParseConfigReadyCallback)(ConfigurationParser&))
    : ConfigurationParser()
 {
    cf_ = cf == nullptr ? "" : cf;
@@ -135,6 +136,7 @@ ConfigurationParser::ConfigurationParser(
    res_head_ = res_head;
    config_default_filename_ = config_default_filename == nullptr ? "" : config_default_filename;
    config_include_dir_ = config_include_dir == nullptr ? "" : config_include_dir;
+   ParseConfigReadyCallback_ = ParseConfigReadyCallback;
 }
 
 ConfigurationParser::~ConfigurationParser() {
@@ -162,7 +164,11 @@ bool ConfigurationParser::ParseConfig()
    }
    used_config_path_ = config_path.c_str();
    Dmsg1(100, "config file = %s\n", used_config_path_.c_str());
-   return ParseConfigFile(config_path.c_str(), NULL, scan_error_, scan_warning_);
+   bool success = ParseConfigFile(config_path.c_str(), NULL, scan_error_, scan_warning_);
+   if (ParseConfigReadyCallback_) {
+     ParseConfigReadyCallback_(*this);
+   }
+   return success;
 }
 
 bool ConfigurationParser::ParseConfigFile(const char *cf, void *caller_ctx, LEX_ERROR_HANDLER *ScanError,

diff --git a/core/src/lib/parse_conf.h b/core/src/lib/parse_conf.h
@@ -429,7 +429,8 @@ class DLL_IMP_EXP ConfigurationParser {
                   ResourceTable *resources,
                   CommonResourceHeader **res_head,
                   const char* config_default_filename,
-                  const char* config_include_dir);
+                  const char* config_include_dir,
+                  void (*DoneParseConfigCallback)(ConfigurationParser&) = nullptr);
 
    ~ConfigurationParser();
 
@@ -468,6 +469,7 @@ class DLL_IMP_EXP ConfigurationParser {
    bool use_config_include_dir_;                 /* Use the config include directory */
    std::string config_include_naming_format_;    /* Format string for file paths of resources */
    std::string used_config_path_;                /* Config file that is used. */
+   void (*ParseConfigReadyCallback_)(ConfigurationParser&);
 
    const char *get_default_configdir();
    bool GetConfigFile(PoolMem &full_path, const char *config_dir, const char *config_filename);
@@ -500,8 +502,6 @@ DLL_IMP_EXP void InitResource(int type, ResourceItem *item);
 DLL_IMP_EXP bool SaveResource(int type, ResourceItem *item, int pass);
 DLL_IMP_EXP bool StoreResource(int type, LEX *lc, ResourceItem *item, int index, int pass);
 DLL_IMP_EXP const char *res_to_str(int rcode);
-DLL_IMP_EXP bool GetTlsResourceByFullyQualifiedResourceName(const char *fq_name_, std::string &psk_return_value) __attribute__((weak));
-
 
 #ifdef HAVE_JANSSON
 /*

diff --git a/core/src/lib/tls.h b/core/src/lib/tls.h
@@ -28,6 +28,7 @@
 #define BAREOS_LIB_TLS_H_
 
 #include <bareos.h>
+#include "lib/tls_conf_psk.h"
 
 class BareosSocket;
 class JobControlRecord;
@@ -49,7 +50,7 @@ class Tls {
   static DLL_IMP_EXP Tls *CreateNewTlsContext(Tls::TlsImplementationType type);
 
   virtual DLL_IMP_EXP void SetTlsPskClientContext(const PskCredentials &credentials) = 0;
-  virtual DLL_IMP_EXP void SetTlsPskServerContext()                                  = 0;
+  virtual DLL_IMP_EXP void SetTlsPskServerContext(GetTlsPskByFullyQualifiedResourceNameCb_t cb) = 0;
 
   virtual DLL_IMP_EXP bool TlsPostconnectVerifyHost(JobControlRecord *jcr, const char *host)   = 0;
   virtual DLL_IMP_EXP bool TlsPostconnectVerifyCn(JobControlRecord *jcr,

diff --git a/core/src/lib/tls_conf_psk.h b/core/src/lib/tls_conf_psk.h
@@ -23,32 +23,40 @@
 #define BAREOS_LIB_TLS_CONF_PSK_H
 
 #include "lib/tls_psk_credentials.h"
+#include "lib/tls_conf_base.h"
+#include "lib/tls_conf_psk_callback.h"
+
+#include <bareos.h>
 
 class DLL_IMP_EXP TlsConfigPsk : public TlsConfigBase {
-public:
-   char *cipherlist; /* TLS Cipher List */
-
-   TlsConfigPsk() : TlsConfigBase(), cipherlist(nullptr) {}
-   ~TlsConfigPsk();
-
-   virtual uint32_t GetPolicy() const override;
-
-   /**
-    * Checks whether the given @param policy matches the configured value
-    * @param policy
-    * @return true if policy means enabled
-    */
-   static bool enabled(u_int32_t policy);
-
-   /**
-    * Checks whether the given @param policy matches the configured value
-    * @param policy
-    * @return true if policy means required
-    */
-   static bool required(u_int32_t policy);
-
-private:
-   static u_int32_t const policy_offset = 2;
+ public:
+  char *cipherlist; /* TLS Cipher List */
+
+  GetTlsPskByFullyQualifiedResourceNameCb_t GetTlsPskByFullyQualifiedResourceNameCb;
+
+  TlsConfigPsk() : TlsConfigBase(), cipherlist(nullptr), GetTlsPskByFullyQualifiedResourceNameCb(nullptr)
+  {
+  }
+  ~TlsConfigPsk();
+
+  virtual uint32_t GetPolicy() const override;
+
+  /**
+   * Checks whether the given @param policy matches the configured value
+   * @param policy
+   * @return true if policy means enabled
+   */
+  static bool enabled(u_int32_t policy);
+
+  /**
+   * Checks whether the given @param policy matches the configured value
+   * @param policy
+   * @return true if policy means required
+   */
+  static bool required(u_int32_t policy);
+
+ private:
+  static u_int32_t const policy_offset = 2;
 };
 
 #endif /* BAREOS_LIB_TLS_CONF_PSK_H */
diff --git a/core/src/lib/tls_conf_psk_callback.h b/core/src/lib/tls_conf_psk_callback.h
@@ -0,0 +1,29 @@
+/*
+   BAREOS® - Backup Archiving REcovery Open Sourced
+
+   Copyright (C) 2018-2018 Bareos GmbH & Co. KG
+
+   This program is Free Software; you can redistribute it and/or
+   modify it under the terms of version three of the GNU Affero General Public
+   License as published by the Free Software Foundation and included
+   in the file LICENSE.
+
+   This program is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+   Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+   02110-1301, USA.
+*/
+
+#ifndef BAREOS_LIB_TLS_CONF_PSK_CALLBACK_H
+#define BAREOS_LIB_TLS_CONF_PSK_CALLBACK_H 1
+
+#include <string>
+
+typedef bool (*GetTlsPskByFullyQualifiedResourceNameCb_t)(const char *fq_name_, std::string &psk_return_value);
+
+#endif /* BAREOS_LIB_TLS_CONF_PSK_CALLBACK_H */
diff --git a/core/src/lib/tls_gnutls.cc b/core/src/lib/tls_gnutls.cc
@@ -679,7 +679,7 @@ void TlsGnuTls::FreeTlsConnection() {}
 void TlsGnuTls::FreeTlsContext(std::shared_ptr<Tls> &ctx) {}
 
 void TlsGnuTls::SetTlsPskClientContext(const PskCredentials &credentials) {}
-void TlsGnuTls::SetTlsPskServerContext() {}
+void TlsGnuTls::SetTlsPskServerContext(GetTlsPskByFullyQualifiedResourceNameCb_t cb) {}
 
 bool TlsGnuTls::TlsPostconnectVerifyHost(JobControlRecord *jcr, const char *host) { return false; }
 bool TlsGnuTls::TlsPostconnectVerifyCn(JobControlRecord *jcr, const std::vector<std::string> &verify_list)

diff --git a/core/src/lib/tls_gnutls.h b/core/src/lib/tls_gnutls.h
@@ -36,7 +36,7 @@ class TlsGnuTls : public Tls
    DLL_IMP_EXP void FreeTlsContext(std::shared_ptr<Tls> &ctx);
 
    virtual DLL_IMP_EXP void SetTlsPskClientContext(const PskCredentials &credentials) override;
-   virtual DLL_IMP_EXP void SetTlsPskServerContext() override;
+   virtual DLL_IMP_EXP void SetTlsPskServerContext(GetTlsPskByFullyQualifiedResourceNameCb_t cb) override;
 
    virtual DLL_IMP_EXP bool TlsPostconnectVerifyHost(JobControlRecord *jcr, const char *host) override;
    virtual DLL_IMP_EXP bool TlsPostconnectVerifyCn(JobControlRecord *jcr, const std::vector<std::string> &verify_list) override;

diff --git a/core/src/lib/tls_openssl.cc b/core/src/lib/tls_openssl.cc
@@ -200,10 +200,12 @@ void TlsOpenSsl::SetTlsPskClientContext(const PskCredentials &credentials)
   }
 }
 
-void TlsOpenSsl::SetTlsPskServerContext()
+void TlsOpenSsl::SetTlsPskServerContext(GetTlsPskByFullyQualifiedResourceNameCb_t cb)
 {
   Dmsg0(50, "Preparing TLS_PSK SERVER callback\n");
 
+  SSL_CTX_set_ex_data(d_->openssl_ctx_, TlsOpenSslPrivate::SslCtxExDataIndex::kTlsOpenSslPrivate, (void*)cb);
+
   if (d_->openssl_ctx_) {
     SSL_CTX_set_psk_server_callback(d_->openssl_ctx_, TlsOpenSslPrivate::psk_server_cb);
   }

diff --git a/core/src/lib/tls_openssl.h b/core/src/lib/tls_openssl.h
@@ -21,6 +21,8 @@
 #ifndef BAREOS_LIB_TLS_OPENSSL_H_
 #define BAREOS_LIB_TLS_OPENSSL_H_
 
+#include "tls_conf_psk_callback.h"
+
 #include <bareos.h>
 #include <memory>
 
@@ -50,7 +52,7 @@ class TlsOpenSsl : public Tls {
                                   int port,
                                   const char *who) const override;
   DLL_IMP_EXP void SetTlsPskClientContext(const PskCredentials &credentials) override;
-  DLL_IMP_EXP void SetTlsPskServerContext() override;
+  DLL_IMP_EXP void SetTlsPskServerContext(GetTlsPskByFullyQualifiedResourceNameCb_t cb) override;
 
   DLL_IMP_EXP void SetCaCertfile(const std::string &ca_certfile) override;
   DLL_IMP_EXP void SetCaCertdir(const std::string &ca_certdir) override;